An error occurred:

Check: ZWAS0050

zOS RACF STIG: ZWAS0050 (in versions v6 r43 through v6 r30)

Title

The WebSphere Application Server plug-in is not specified in accordance with the proper security requirements. (Cat II impact)

Discussion

Requests processed by the WebSphere Application Server (WAS) are dependent on directives configured in the HTTP server httpd.conf file. These directives specify critical files containing the WAS plug-in and WAS configuration. These files provide the operational and security characteristics of WAS. Failure to properly configure WAS-related directives could lead to undesirable operations and degraded security. This exposure may compromise the availability and integrity of applications and customer data.

Check Content

a) Refer to the following report produced by the UNIX System Services Data Collection: - USSCMDS.RPT(AHTTPD) Collect the following information for each IBM HTTP server: - The JCL procedure library and member name used to start each IBM HTTP server. DOC(IHSPROCS) - For each IBM HTTP server, supply the following information: Web server ID defined to the ACP Web server administration group defined to the ACP Web server standard HFS directory b) Review the HTTP server JCL procedure to determine the httpd.conf file to review. c) Ensure that all WAS-related directives are configured using the ServerInit, Service, and ServerTerm statements as outlined below. The following path entries were added to the /etc/httpd.conf file for WebSphere 3.5: ServerInit /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:init_exit /usr/lpp/WebSphere/etc/WebSphere/AppServer/properties/was.conf Service /webapp/examples/* /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit Service /*.jhtml /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit Service /*.shtml /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit Service /servlet/* /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit Service /*.jsp /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit ServerTerm /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:term_exit The following path entries are added to the /etc/httpd.conf file for WebSphere 4.0.1: ServerInit - /usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:init_exit Service - /usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:service_exit ServerTerm - /usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:term_exit NOTE: The /etc/WebSphere clause for ServerInit matches the directory name above where the site customization was.conf file was established. Specific items to review include proper path, was.conf, and plug-in settings. d) If all WAS-related directives are configured properly, there is NO FINDING. e) If any WAS-related directive is not configured properly, this is a FINDING.

Fix Text

The IAO will ensure that the WebSphere Application Server directives in the httpd.conf file are configured as outlined below. Ensure that all WAS-related directives are configured using the ServerInit, Service, and ServerTerm statements as outlined below. The following path entries were added to the /etc/httpd.conf file for WebSphere 3.5: ServerInit /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:init_exit /usr/lpp/WebSphere/etc/WebSphere/AppServer/properties/was.conf Service /webapp/examples/* /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit Service /*.jhtml /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit Service /*.shtml /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit Service /servlet/* /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit Service /*.jsp /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit ServerTerm /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:term_exit The following path entries are added to the /etc/httpd.conf file for WebSphere 4.0.1: ServerInit -/usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:init_exit Service - /usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:service_exit ServerTerm - /usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:term_exit NOTE: The /etc/WebSphere clause for ServerInit matches the directory name above where the site customization was.conf file was established. Specific items to review include proper path, was.conf, and plug-in settings.

Additional Identifiers

Rule ID: SV-3901r2_rule

Vulnerability ID: V-3901

Group Title: ZWAS0050

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000068

The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions.
CCI-000382

The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services.
CCI-001762

The organization disables organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-17 (2)

Protection Of Confidentiality / Integrity Using Encryption
CM-7

Least Functionality
CM-7 (1)

Periodic Review